Multi-Function, Modular System for Network Security, Secure Communication, and Malware Protection

ABSTRACT

Representative embodiments are disclosed for providing network and system security. A representative apparatus includes an input-output connector coupleable to a data network; a network interface circuit having a communication port; a nonvolatile memory storing a configuration bit image; and a field programmable gate array (“FPGA”) coupled to the network interface circuit through the communication port, the FPGA configurable to appear solely as a communication device to the first network interface circuit, and to bidirectionally monitor all data packets transferred between the input-output connector and the first network interface circuit and any coupled host computing system. In another embodiment, the FPGA is further configurable for only a partial implementation of a communication protocol, such as a PCIe data link and/or physical layers. The FPGA may also monitor host memory and provide encryption and decryption functionality. The FPGA is not addressable within the computing system and therefore is largely undetectable by malware.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of and claims the benefit of andpriority to U.S. patent application Ser. No. 16/023,668, filed Jun. 29,2018, inventors Jeremy B. Chritz et al., titled “Multi-Function, ModularSystem for Network Security, Secure Communication, and MalwareProtection”, which is continuation of and claims the benefit of andpriority to U.S. patent application Ser. No. 15/230,387, filed Aug. 6,2016 and issued Aug. 7, 2018 as U.S. Pat. No. 10,043,041 B2, inventorsJeremy B. Chritz et al., titled “Multi-Function, Modular System forNetwork Security, Secure Communication, and Malware Protection”, whichis continuation of and claims the benefit of and priority to U.S. patentapplication Ser. No. 14/608,438, filed Jan. 29, 2015 and issued Sep. 13,2016 as U.S. Pat. No. 9,444,827 B2, inventors Jeremy B. Chritz et al.,titled “Multi-Function, Modular System for Network Security, SecureCommunication, and Malware Protection”, which is a nonprovisional of andclaims the benefit of and priority to U.S. Provisional PatentApplication No. 61/940,413, filed Feb. 15, 2014, inventors Jeremy B.Chritz et al., titled “Multi-Function, Modular System for NetworkSecurity, Secure Communication, and Malware Protection”, which arecommonly assigned herewith, the entire contents of which areincorporated herein by reference with the same full force and effect asif set forth in their entireties herein, and with priority claimed forall commonly disclosed subject matter.

FIELD OF THE INVENTION

The present invention relates generally to network security, and morespecifically to a multi-function, modular system which can providenetwork security, secure communication, and malware protection.

BACKGROUND

Network security is an increasing problem throughout the world, for anynetwork coupled to the Internet, with computer viruses, worms, Trojanhorses, and other computing system malware (individually andcollectively referred to as “malware”) resulting in expensive datalosses, theft of intellectual property, theft of financial information,privacy intrusions, identity theft, and so on. This continues to be aproblem not only for private industry, but also governmental entitiessuch as the military, and regulated industries such as power companies.Any successful attack on the networks of such entities can bedevastating nationally and globally.

Software approaches to such network security, such as through anti-virusand anti-malware programs, have limited utility. They may becomparatively slow to operate, and typically do not provide immediateprotection against new threats. Network security software may also bereadily circumvented in sophisticated malware attacks.

Accordingly, a need remains for a system having both hardware andsoftware co-design to provide for significant network security, securecommunications, and malware protection. Such a system should be modularfor use in any number of different types of systems, and further providefor minimal host involvement.

SUMMARY OF THE INVENTION

The exemplary embodiments of the present invention provide numerousadvantages. Exemplary embodiments provide for using a field programmablegate array (“FPGA”) arranged between a network and host computingsystem, and effectively undetectable by either the network or the hostcomputing system. This allows the FPGA to monitor all data traffic intothe host computing system from a network and into the network from thehost computing system.

A representative apparatus embodiment comprises: an input-outputconnector coupleable to a data network; a first network interfacecircuit coupleable to a first PCIe communication line for communicationwith a host computing system, the first network interface further havingat least one communication port; a nonvolatile memory storing aconfiguration bit image; and a field programmable gate array coupled tothe input-output connector and to the nonvolatile memory, the fieldprogrammable gate array further coupled to the first network interfacecircuit through the at least one communication port, the fieldprogrammable gate array configurable using the configuration bit imageto appear solely as a communication device to the first networkinterface circuit when coupled to the at least one communication port,and the field programmable gate array configurable to bidirectionallymonitor all data packets transferred between the input-output connectorand the first network interface circuit and any coupled host computingsystem.

In a representative embodiment, the field programmable gate array may befurther configurable to detect a malware data packet. In arepresentative embodiment, the field programmable gate array may befurther configurable, in response to detection of a malware data packetfrom the host computing system, to halt the host computing system.

In a representative embodiment, the field programmable gate array may befurther configurable, in response to detection of a malware data packetfrom the input-output connector or the data network, to discard themalware data packet or to monitor an operation implemented using themalware data packet.

In a representative embodiment, the field programmable gate array may befurther configurable to monitor a host memory and, in response to anunauthorized modification, to halt a host processor and restore a hostoperating system. In a representative embodiment, the nonvolatile memoryfurther stores an operating system image, and the field programmablegate array is further configurable to monitor the host operating systemand, in response to an unauthorized modification, to restore the hostoperating system using the operating system image. A representativeembodiment may also further comprise a second memory coupled to thefield programmable gate array, the second memory storing an operatingsystem image, and the field programmable gate array is furtherconfigurable to monitor the host operating system and, in response to anunauthorized modification, to restore the host operating system usingthe operating system image.

In another representative embodiment, the field programmable gate arraymay be further configurable to decrypt all data packets from theinput-output connector and to encrypt all data packets from the firstnetwork interface circuit and any coupled host computing system.

In a representative embodiment, the at least one communication port is aserial gigabit media independent interface port.

A representative embodiment may also further comprise a second PCIecommunication line coupled to the field programmable gate array; whereinthe field programmable gate array is further configurable using theconfiguration bit image for only a partial implementation of acommunication protocol. In a representative embodiment, the partialimplementation of the communication protocol is a PCIe physical layer,or a PCIe physical layer and a PCIe data link layer.

Another representative apparatus embodiment comprises an input-outputconnector coupleable to a data network; a first network interfacecircuit coupleable to a first PCIe communication line for communicationwith a host computing system, the first network interface further havingat least one communication port; a nonvolatile memory storing aconfiguration bit image; and a field programmable gate array coupled tothe input-output connector and to the nonvolatile memory, the fieldprogrammable gate array further coupled to the first network interfacecircuit through the at least one communication port, the fieldprogrammable gate array further coupleable to a second PCIecommunication line for communication with the host computing system, thefield programmable gate array configurable using the configuration bitimage to appear solely as a communication device to the first networkinterface circuit when coupled to the at least one communication port,the field programmable gate array further configurable using theconfiguration bit image for only a partial implementation of acommunication protocol, and the field programmable gate arrayconfigurable to bidirectionally monitor all data packets transferredbetween the input-output connector and the first network interfacecircuit and any coupled host computing system.

A representative embodiment of a network interface circuit board is alsodisclosed, comprising: an input-output connector coupleable to a datanetwork; at least one first PCIe communication line; at least one PCIeconnector to couple the at least one first PCIe communication line to ahost computing system; a first network interface circuit coupleable tothe first PCIe communication line for communication with a hostcomputing system, the first network interface further having at leastone communication port; a nonvolatile memory storing a configuration bitimage; and a field programmable gate array coupled to the input-outputconnector and to the nonvolatile memory, the field programmable gatearray further coupled to the first network interface circuit through theat least one communication port, the field programmable gate arrayconfigurable using the configuration bit image to appear solely as acommunication device to the first network interface circuit when coupledto the at least one communication port, the field programmable gatearray configurable to bidirectionally monitor all data packetstransferred between the input-output connector and the first networkinterface circuit and any coupled host computing system.

A representative embodiment for a method of providing network securityis also disclosed in a system having a field programmable gate array(“FPGA”) coupled between a network and a first network interface circuitcoupleable to a host computing system, the method comprising:configuring the field programmable gate array to appear as acommunication device to the first network interface circuit; and usingthe field programmable gate array, bidirectionally monitoring all datapackets transferred between the first network interface circuit and thehost computing system.

In a representative embodiment, the field programmable gate array isconfigured with a device name and link speed to appear as acommunication device to a serial gigabit media independent interfaceport of the first network interface circuit.

In a representative embodiment, the method may further comprise: usingthe field programmable gate array, detecting a malware data packet, andin response to a detection of a malware data packet, performing at leastone action selected from the group consisting of: halting the hostcomputing system; discarding the malware data packet; monitoring anoperation implemented using the malware data packet; and halting a hostprocessor and restoring a host operating system.

In another representative embodiment, the method may further compriseconfiguring the field programmable gate array for only a partialimplementation of a communication protocol, such as a PCIe physicallayer, or a PCIe physical layer and a PCIe data link layer.

A representative multi-function, modular apparatus embodiment comprises:a plurality of PCIe communication lines, a first PCIe communication linecouplable to a first network interface circuit, and a second PCIecommunication line couplable to a host computing system; a nonvolatilememory storing a configuration bit image; and a field programmable gatearray coupled to the first PCIe communication line for communicationwith the first network interface circuit and further coupled to thesecond PCIe communication line for communication with the host computingsystem, the field programmable gate array further coupled to thenonvolatile memory, the field programmable gate array configurable usingthe configuration bit image for only a partial implementation of acommunication protocol, and the field programmable gate arrayconfigurable to bidirectionally monitor all data packets transferredbetween the first network interface circuit and the host computingsystem.

In a representative embodiment, the field programmable gate array isfurther configurable to detect a malware data packet. Also in arepresentative embodiment, the field programmable gate array is furtherconfigurable, in response to detection of a malware data packet from thehost computing system, to halt the host computing system. Also in arepresentative embodiment, the field programmable gate array is furtherconfigurable, in response to detection of a malware data packet from thefirst network interface circuit, to discard the malware data packet. Inanother representative embodiment, the field programmable gate array isfurther configurable, in response to detection of a malware data packetfrom the first network interface circuit, to monitor an operationimplemented using the malware data packet.

In a representative embodiment, the communication protocol is PCIe andthe field programmable gate array is configurable only for a physicallayer and a data link layer of the PCIe protocol.

In another representative embodiment, the field programmable gate arrayis further configurable to monitor a host memory and, in response to anunauthorized modification, to halt a host processor and restore a hostoperating system. In a representative embodiment, the nonvolatile memoryfurther stores an operating system image, and the field programmablegate array is further configurable to monitor the host operating systemand, in response to an unauthorized modification, to restore the hostoperating system using the operating system image. In anotherrepresentative embodiment, the apparatus further comprises a secondmemory coupled to the field programmable gate array, the second memorystoring an operating system image, and the field programmable gate arrayis further configurable to monitor the host operating system and, inresponse to an unauthorized modification, to restore the host operatingsystem using the operating system image.

In another representative embodiment, the field programmable gate arrayis further configurable to decrypt all data packets from the firstnetwork interface circuit;

and also the field programmable gate array is further configurable toencrypt all data packets from the host computing system.

In another representative embodiment, the apparatus further comprises atleast one PCIe connector coupled to the plurality of PCIe communicationlines for coupling to a first network interface circuit. For example,the field programmable gate array, the nonvolatile memory, the pluralityof PCIe communication lines, and the at least one PCIe connector may becollocated on a first circuit board, and the first network interfacecircuit is located on a second circuit board couplable to the firstcircuit board using the at least one PCIe connector. Also for example,the first and second circuit boards may be rack-mountable.

In another representative embodiment, the apparatus further comprises asecond network interface circuit couplable to a trusted network.

In a representative embodiment, the field programmable gate array is notaddressable by the first network interface circuit or by the hostcomputing system.

Another representative embodiment provides a network interface circuitboard, comprising: a first network interface circuit; at least one PCIeconnector; a plurality of PCIe communication lines, a first PCIecommunication line couplable to the first network interface circuit, anda second PCIe communication line couplable through the at least one PCIeconnector to a host computing system; a nonvolatile memory storing aconfiguration bit image; and a field programmable gate array coupled tothe first PCIe communication line for communication with the firstnetwork interface circuit and further coupled to the second PCIecommunication line for communication with the host computing system, thefield programmable gate array further coupled to the nonvolatile memory,the field programmable gate array configurable using the configurationbit image for only a partial implementation of a communication protocol,and the field programmable gate array configurable to bidirectionallymonitor all data packets transferred between the first network interfacecircuit and the host computing system.

A method of providing network security in a system having a fieldprogrammable gate array (“FPGA”) coupled between a host computing systemand a first network interface circuit is also disclosed, with the methodcomprising: configuring the field programmable gate array for only apartial implementation of a communication protocol; and using the fieldprogrammable gate array, bidirectionally monitoring all data packetstransferred between the first network interface circuit and the hostcomputing system.

A representative method embodiment may further comprise using the fieldprogrammable gate array to detect a malware data packet. In arepresentative embodiment, the method may further comprise using thefield programmable gate array, and in response to a detection of amalware data packet from the host computing system, halting the hostcomputing system. In a representative embodiment, the method may furthercomprise using the field programmable gate array, and in response to adetection of a malware data packet from the first network interfacecircuit, discarding the malware data packet. In a representativeembodiment, the method may further comprise using the field programmablegate array, and in response to a detection of a malware data packet fromthe first network interface circuit, monitoring an operation implementedusing the malware data packet.

A representative method embodiment may further comprise configuring thefield programmable gate array to monitor a host memory and, in responseto an unauthorized modification, to halt a host processor and restore ahost operating system.

A representative method embodiment may further comprise configuring thefield programmable gate array to decrypt all data packets from the firstnetwork interface circuit. A representative method embodiment mayfurther comprise configuring the field programmable gate array toencrypt all data packets from the host computing system.

Numerous other advantages and features of the present invention willbecome readily apparent from the following detailed description of theinvention and the embodiments thereof, from the claims and from theaccompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The objects, features and advantages of the present invention will bemore readily appreciated upon reference to the following disclosure whenconsidered in conjunction with the accompanying drawings, wherein likereference numerals are used to identify identical components in thevarious views, and wherein reference numerals with alphabetic charactersare utilized to identify additional types, instantiations or variationsof a selected component embodiment in the various views, in which:

FIG. 1 is a block diagram illustrating an exemplary or representativefirst system embodiment.

FIG. 2 is a block diagram illustrating an exemplary or representativesecond system embodiment.

FIG. 3, divided into FIGS. 3A and 3B, is a block diagram illustrating anexemplary or representative first modular apparatus embodiments.

FIG. 4 is a flow diagram illustrating an exemplary or representativemethod embodiment.

FIG. 5 is a block diagram illustrating an exemplary or representativethird system embodiment and second apparatus embodiment.

FIG. 6 is a block diagram illustrating an exemplary or representativefourth system embodiment and third apparatus embodiment.

FIG. 7 is a block diagram illustrating an exemplary or representativefourth apparatus embodiment.

DETAILED DESCRIPTION OF REPRESENTATIVE EMBODIMENTS

While the present invention is susceptible of embodiment in manydifferent forms, there are shown in the drawings and will be describedherein in detail specific exemplary embodiments thereof, with theunderstanding that the present disclosure is to be considered as anexemplification of the principles of the invention and is not intendedto limit the invention to the specific embodiments illustrated. In thisrespect, before explaining at least one embodiment consistent with thepresent invention in detail, it is to be understood that the inventionis not limited in its application to the details of construction and tothe arrangements of components set forth above and below, illustrated inthe drawings, or as described in the examples. Methods and apparatusesconsistent with the present invention are capable of other embodimentsand of being practiced and carried out in various ways. Also, it is tobe understood that the phraseology and terminology employed herein, aswell as the abstract included below, are for the purposes of descriptionand should not be regarded as limiting.

FIG. 1 is a block diagram illustrating an exemplary or representativefirst system 100 embodiment. As illustrated in FIG. 1, the system 100includes one or more host computing systems 105, such as a computer orworkstation, having one or more central processing units (CPUs) 110,which may be any type of processor, and host memory 120, which may beany type of memory, such as a hard drive or a solid state drive, andwhich may be located with or separate from the host CPU 110, all forexample and without limitation, and as discussed in greater detailbelow. The memory 120 typically stores an operating system, one or moreapplications, and data for the host computing system 105, and dependingupon the selected embodiment, may also store one or more configurationbit files or images for a selected application. Not separatelyillustrated, any of the host computing systems 105 may include aplurality of different types of processors, such as graphics processors,multi-core processors, etc., also as discussed in greater detail below.

In the system 100, the one or more host computing systems 105 aretypically coupled through one or more communication channels or lines,illustrated as PCI express (Peripheral Component Interconnect Express or“PCIe”) lines 130 (either directly or through a PCIe switch 125 (FIG. 2)(such as a PLX switch), to a configurable logic element such as one ormore FPGAs 150 (such as a Spartan 6 FPGA or ARTIX 7 FPGA, for exampleand without limitation) which has been configured, as discussed ingreater detail below, for one or more of the network securityapplications of this disclosure. As there may be other FPGAs 160 withinthe system (as illustrated in FIG. 2), FPGA 150 may also be referred toas the network security FPGA 150. FPGAs 150 and 160 may be the same typeof FPGA, and are provided with different reference numerals solely todifferentiate the specific functions assigned to and the location of thenetwork security FPGA 150. For example, the various FPGAs 150, 160 maybe on identical circuit boards or modules 170, 180, for example, and maybe interchangeable.

The FPGA 150 in turn is coupled to a nonvolatile memory 140, such as aFLASH memory, and optionally to another memory 190, such as any type ofrandom access memory (e.g., one or more DDR2 SODIMM integrated circuits,for example and without limitation), as discussed in greater detailbelow. The network security FPGA 150 is further coupled, also via a PCIeline 130, to a first or primary network interface (circuit) 115, whichmay be any type of network interface circuit (typically embodied as anintegrated circuit, such as the network interface circuitry availablefrom Intel Corp.), which provides an interface to a network, such as anEthernet interface, also for example and without limitation. Optionally,network security FPGA 150 may also be further coupled, also via a PCIeline 130, to a second or secondary network interface 155, which also maybe any type of network interface (as mentioned above, such as anEthernet interface), which provides a separate interface to a nonpublic,trusted network, also for example and without limitation. In analternative embodiment, the secondary network interface 155functionality may be incorporated directly into the input-outputfunctionality of the network security FPGA 150.

In a first embodiment, the network security FPGA 150, primary networkinterface 115, memory 140, and optionally memory 190 and secondarynetwork interface 155, are collocated on a dedicated circuit board 175,as a network interface card (“NIC”) embodiment, such as for use in ahost computing system 105, which may have any embodiment, such as alaptop, a tablet, a desktop, a server, etc., all for example and withoutlimitation. In a second, modular embodiment illustrated in FIGS. 3A and3B, the network security FPGA 150, memory 140, and optionally memory190, are collocated on a first, modular circuit board 180 (discussed ingreater detail below), which is couplable as a module to a secondmodular circuit board 185 which contains one or more primary networkinterfaces 115 and optionally one or more secondary network interface155, both of which function as modules in a rack mounted system havingmany such boards 180, 185, such as those available from Pico Computingof Seattle, Washington US, such as the system 200 illustrated in FIG. 2.Not separately illustrated for FIGS. 3A and 3B, those having skill inthe art with recognize that to coincide with a system 400 embodimentdiscussed below, a plurality of FPGAs 150 with I/O connector(s) 415 maybe substituted in place of the primary network interfaces 115 of FIG.3B, and a primary network interface 115 substituted in place of the FPGA150 in FIG. 3A, but with the plurality of FPGAs 150 of FIG. 3B providedwith connections to the memory 140 in FIG. 3A.

FIG. 2 is a block diagram illustrating an exemplary or representativesecond system 200 embodiment. The system 200 differs insofar as a PCIeswitch 125 is also included for communication between and among thevarious illustrated components, along with a plurality of modules 180,and serves to illustrate the components typically found in a rackmounted system available from Pico Computing of Seattle, Wash. US.

For example, in an exemplary embodiment, each of the modular circuitboards 180 have corresponding PCIe input-output (I/O) connectors 230 toplug into mating I/O connectors 235, on either the modular networkinterface board 185, or into another region or slot of a backplane 205board (also available from Pico Computing of Seattle, Wash. US). Forpurposes of the present disclosure, both systems 100 and 200 functionssimilarly, and any and all of these system configurations are within thescope of the disclosure. Not separately illustrated in FIGS. 1, 2, 3Aand 3B, 5 and 6, each of the various circuit modules or boards 170, 175,180, 185 typically include many additional components, such as powersupplies, additional memory, additional input and output circuits andconnectors, switching components, possibly timing or clock components,etc.

As a consequence, for purposes of the present disclosure, a system 100,200 comprises one or more host computing systems 105, couplable throughone or more communication lines (such as PCIe communication lines,directly or through a PCIe switch 125), to one or more network securityFPGAs 150. In turn, the network security FPGA 150 is coupled through oneor more communication lines, also such as PCIe communication lines 130,to one or more primary network interfaces 115, which may be collocatedwith the network security FPGA 150 on the same circuit board (175) orwhich may be on separate circuit boards (180, 185).

FIG. 5 is a block diagram illustrating an exemplary or representativethird system 400 embodiment and second apparatus 450 embodiment. FIG. 6is a block diagram illustrating an exemplary or representative fourthsystem 500 embodiment and third apparatus 450A embodiment. Referring toFIGS. 5 and 6, the second apparatus 450 and third apparatus 450A arealso illustrated network interface card embodiments as described above,but differ in that the network security FPGA 150 is coupled toinput-output (“I/O”) connector(s) 415, such as an RJ45 Ethernet jack,for direct communication to an external network, such as a nontrustedpublic network. The network security FPGA 150, through its internal dataoutput drivers and data input receivers (not separately illustrated),provides for such external communication, typically in analog form. Thenetwork security FPGA 150, in turn, is coupled to a primary networkinterface 115, via communication line 410, and the primary networkinterface 115 is coupled to a host computing systems 105, such as viaPCIe lines 130 as illustrated in FIG. 5, or optionally coupled through aPCIe switch 125 to a host computing systems 105, as illustrated in FIG.6. The second apparatus 450 and third apparatus 450A differ insofar asthird apparatus 450A may also include an optional connection fromnetwork security FPGA 150 to a PCIe switch 125, and in that event, thenetwork security FPGA 150 may also be configured as discussed above andbelow for system 100, 200 embodiments. Additional I/O 430 may also beprovided to and from the network security FPGA 150, such as foradditional access by a system administrator. Not separately illustrated,the apparatus 450, 450A (and 450B) embodiments may be coupled (such asto PCIe lines 130) through one or more connector(s) 230, or have any ofthe other components, such as additional, second memory 190, a secondnetwork interface, etc., as previously discussed.

In an exemplary or representative system 400, 500 embodiment, thenetwork security FPGA 150 is coupled to the primary network interface115 through a different mechanism, illustrated as communication line410, which is coupled to a special port or interface 420 of the primarynetwork interface 115, in order to appear to the primary networkinterface 115 and the rest of the system 400, 500 as anothercommunication module, such as a fiber optic communication module,typically by coupling into a serial gigabit media independent interface(as the interface 420), e.g., SGMII, of the primary network interface115. As a result, the network security FPGA 150 appears as aneffectively transparent Ethernet (or other network) port within thesystem 400, 500 and, in addition, is not a PCIe endpoint device, so doesnot require any implementation of any PCIe communication protocol stack(discussed below). Rather, the network security FPGA 150 is typicallyconfigured to appear to the primary network interface 115 as a supportedcommunication device, such as a supported phy or (phi (“Φ” or “φ”))device, such as a configuration including a supported data link speedand a known phy (or phi) name.

From the standpoint of the host computing systems 105 and any incomingor outgoing malware, for example, the network security FPGA 150 iseither effectively invisible (i.e., undetectable) or appears as nothingmore than part of the primary network interface 115. Nonetheless, thenetwork security FPGA 150 may access anything coupled to the hostcomputing systems 105, such as to protect and rewrite host memory 120 inthe event of a virus or malware infiltration, and further, may examineall incoming network traffic (from I/O connector(s) 415, though networksecurity FPGA 150, primary network interface 115, to the host computingsystems 105) and all outgoing network traffic from the host computingsystems 105 (via the primary network interface 115, the network securityFPGA 150, and I/O connector(s) 415).

The third system 400, and depending on how implemented, the fourthsystem 500 therefore provide for truly stealth security, as the networksecurity FPGA 150 is truly invisible to the host computing systems 105and any incoming or outgoing malware, virus, etc. As the networksecurity FPGA 150 also is not a PCIe endpoint device, it does notrequire any type of PCIe addressing or protocols, so no mechanism isprovided for malware or a malware bot to explore and find the networksecurity FPGA 150 within the system 400, 500.

FIG. 7 is a block diagram illustrating an exemplary or representativefourth apparatus 450B embodiment, and illustrates a useful variation.This embodiment differs from those discussed above insofar as a primarynetwork interface 115A is implemented which has additionalconfigurability for multiple input and output ports. For thisembodiment, the primary network interface 115A is coupled to I/Oconnector(s) 415 for data transmission and reception, but all incomingand outgoing data traffic is routed (bi-directionally) through a networksecurity FPGA 150 (also not a PCIe endpoint device), as illustrated, andotherwise functions as discussed above (and below) for systems 100, 200,400, 500.

The systems 100, 200, 400, 500 enable one of the significant features ofthe present disclosure, namely, the stealth or “ghost” operation of thenetwork security FPGA 150. For purposes of the present disclosure, allthat is required is that the network security FPGA 150 be coupled inbetween the primary network interface 115 and I/O connector(s) 415 forexternal communication, for systems 400, 500, or between any hostcomputing system 105 and a primary network interface 115, for systems100, 200 (and possibly 500), such that the network security FPGA 150“sees” all data traffic moving both into and out of a system 100, 200,400, 500 and, moreover, does so in a way that it is effectivelyinvisible or undetectable within the system 100, 200, 400, 500, i.e.,from the perspective of the system 100, 200, the network security FPGA150 (including the modular circuit board 180 or 450, 450A) is merely adata conduit or pipe, having no further detectable presence within thesystem 100, 200, 400, 500.

In the event that a network security FPGA 150 is coupled as a PCIeendpoint device, such as in systems 100, 200, and possibly 500, toprovide for the network security FPGA 150 to appear within the system100, 200 (500) as merely a data conduit or pipe, i.e., to be a stealthor “ghost” device within the system 100, 200, at least one first part ofits configuration (typically stored and provided in memory 140) istightly controlled and limited, namely, the network security FPGA 150does not implement any network or communication protocol which wouldmake it addressable and therefore visible in the system 100, 200 (500).More specifically, the network security FPGA 150 does not implement thecomplete PCIe protocol stack, and specifically implements no more thanthe physical layer and the data link layer, and not the transactionlayer, of the PCIe protocol. Similarly, any processor core (notseparately illustrated) within the network security FPGA 150 also doesnot implement any network or communication protocol which would make itaddressable; for example, it does not implement DHCP (dynamic hostconfiguration protocol). For other communication or network protocols,so long as the entire protocol stack is not implemented in a way thatthe network security FPGA 150 would be addressable or otherwise visible,the remainder of the protocol stack may be implemented as necessary ordesirable for any selected embodiment.

As a result, for this type of system 100, 200 (500) embodiment, theprimary network interface 115 and the host computing system 105effectively do not know of the existence of the network security FPGA150 within the system 100, 200 (500). Stated another way, the networksecurity FPGA 150 is not given a false identity within the system 100,200, it is given no identity. Within the system 100, 200 (500), itmerely looks like part of the physical PCIe communication line 130, fromthe perspective of both the primary network interface 115 and the hostcomputing system 105. Stated another way, from the perspective of thehost computing system 105, the network security FPGA 150 appears tomerely be the primary network interface 115, and from the perspective ofthe primary network interface 115, the network security FPGA 150 appearsto be the host computing system 105 (or another component within thesystem 100, 200).

Also similarly, the memory 140 (and any memory 190) are also shielded bythe network security FPGA 150, as they have no link into the system 100,200 except through the network security FPGA 150. Accordingly, thememories 140 and 190 also remain as trusted components within the system100, 200, 400, 500.

As a result, any malware entering the system 100, 200, 400, 500 alsocannot detect the network security FPGA 150, such as by probing, andlacking any physical address within the system 100, 200, 400, 500, anymalware cannot communicate with the network security FPGA 150.

By the network security FPGA 150 being coupled in between the primarynetwork interface 115 and I/O connector(s) 415 for externalcommunication, or by being coupled between the primary network interface115 and the host computing system 105, the network security FPGA 150 canhave many different functions, all within the scope of the presentdisclosure. First, it can examine any and all data packets entering thesystem 100, 200, 400, 500 through the I/O connector(s) 415 or primarynetwork interface 115, allowing it to intervene in the event of amalware data packet. For example, it can refrain from forwarding a datapacket from the I/O connector(s) 415 or the primary network interface115 into the system 100, 200, 400, 500, e.g., the network security FPGA150 may discard the malware data packet. Any method of malware detectionwhich is currently known or which becomes known may be utilized and iswithin the scope of the present disclosure, e.g., comparison of a hashresult computed from a data packet with a list or database of resultsindicative of malware, for example and without limitation.

Secondly, this data examination is bi-directional, namely, the networksecurity FPGA 150 may also examine any and all data packets from thehost computing system 105 which could enter the larger network throughthe primary network interface 115, also allowing it to intervene in theevent of a malware data packet which originates from the host computingsystem 105, e.g., in the event the host computing system 105 is infectedwith malware from another source, such as from a thumb drive or anotherdrive which may be coupled to the host computing system 105 through aUSB port, for example and without limitation.

The network security FPGA 150 may also be configured to monitor anymalware entering the system 100, 200, 400, 500, such as to determine itsorigin, and to determine what operations the malware has been designedto perform. For example, the network security FPGA 150 may monitor thehost memory 120 and discover how the malware might be behaving.

While the network security FPGA 150 cannot be seen within the system100, 200, 400, 500, it nonetheless has access to the PCIe communicationlines 130, and can read and write data from and to anywhere in thesystem 100, 200, 400, 500, without host CPU 110 involvement, includingmanipulating the host memory 120. For example, the network security FPGA150 may examine (read from) the host memory 120, and in response todetection of malware, such as in the host operating system stored inmemory 120, may halt the host CPU 110 and rewrite the host operatingsystem, e.g., write over the infected host operating system (using aversion of the host operating system stored in either of the trustedmemories 140, 190), thereby eliminating the malware and restoring thehost operating system to an uninfected state.

Another significant feature of the network security FPGA 150 interposedbetween the host computing system 105 and the primary network interface115, particularly in the modular system illustrated in FIGS. 3A and 3B,5 and 6, is that the network security FPGA 150 may also be configured toperform real-time, network rate encryption of outgoing data packets anddecryption of incoming data packets.

As a consequence, this system 100, 200, 400, 500 configuration, usingthe circuit board modules 180, 185, 450, 450A, creates a multifunction,modular security system, for network security, secure communications,and protection against malware.

In various embodiments, as mentioned above, a secondary networkinterface 155 (and/or I/O capability within the network security FPGA150, as illustrated in FIGS. 5 and 6) may be utilized for communicationwith a trusted or otherwise nonpublic network or system. For example, asystem administrator may have need to access and update a configurationof the network security FPGA 150. As the network security FPGA 150 isnot visible within the system 100, 200, 400, 500, provision for suchdirect access to the network security FPGA 150 may be highly desirable.

FIG. 4 is a flow diagram illustrating an exemplary or representativemethod embodiment for system 100, 200, 400, 500 configuration andreconfiguration, and provides a useful summary. Beginning with startstep 300 and one or more FPGA 150 configurations (as configuration bitimages) having been stored in a trusted memory 140, the system 100, 200,400, 500 powers on or otherwise starts up, and the FPGA 150 loads thebase communication functionality, such as a PCIe configuration image(and possibly DMA functionality) from nonvolatile memory 140, for system100, 200 (500) embodiments having a network security FPGA 150 as a PCIeendpoint device, or loads the configuration to appear as a communicationdevice to a primary network interface 115 for system 400, 500embodiments as discussed above, step 305. As part of step 305, forsystem 100, 200 (500) embodiments, the communication functionalityspecifically does not include an entire communication or networkprotocol stack, but is typically limited specifically to the physicallayer and the data link layer, such as for PCIe communicationfunctionality, or otherwise limited only to those protocol layers whichdo not result in the network security FPGA 150 being addressable orvisible within the system 100, 200 (500).

The network security FPGA 150 may then commence operations and monitorincoming and outgoing data packets, step 310, may monitor host memory120, step 315, may encrypt outgoing data packets, step 320, and maydecrypt incoming data packets, step 325, and/or any selected one or moreof these various functions. For example, in various exemplaryembodiments, the network security FPGA 150 may be implemented formonitoring functions, without encryption/decryption, and vice-versa, forexample and without limitation. In addition, steps 310, 315, 320 and/or325 may be performed concurrently or sequentially, depending upon theselected embodiment.

When malware may be detected, step 330, a determination may be made asto whether the malware is merely to be monitored, step 335, and if not,the malware data packet is discarded, step 340. When the malware is tobe monitored, the method proceeds to step 315 for monitoring of the hostmemory (and when the system is to remain on (step 360), the methodreturns to step steps 310-325 and continues to iterate). When no malwareis detected in step 330, and when the system is to remain on (step 360),the method returns to step steps 310-325 and continues to iterate.

When the host memory is monitored, step 315, and a potentially unwantedchange in the host memory is detected, step 345, such as a change in thehost operating system, a determination may be made as to whether thechange(s) is merely to be monitored, step 350. When the change to thehost memory, such as the host operating system is to be monitored, themethod returns to step 315 and continues to iterate. When the change tothe host memory is not to be just monitored in step 350, the networksecurity FPGA 150 halts the host CPU 110 and rewrites the host memory120, typically rewriting the stored host operating system portion of thehost memory 120, and when the system is to remain on (step 360), themethod returns to steps 310-325 and continues to iterate. When thesystem 100, 200 is powered off, step 360, the method may end, returnstep 365.

The present disclosure is to be considered as an exemplification of theprinciples of the invention and is not intended to limit the inventionto the specific embodiments illustrated. In this respect, it is to beunderstood that the invention is not limited in its application to thedetails of construction and to the arrangements of components set forthabove and below, illustrated in the drawings, or as described in theexamples. Systems, methods and apparatuses consistent with the presentinvention are capable of other embodiments and of being practiced andcarried out in various ways.

Although the invention has been described with respect to specificembodiments thereof, these embodiments are merely illustrative and notrestrictive of the invention. In the description herein, numerousspecific details are provided, such as examples of electroniccomponents, electronic and structural connections, materials, andstructural variations, to provide a thorough understanding ofembodiments of the present invention. One skilled in the relevant artwill recognize, however, that an embodiment of the invention can bepracticed without one or more of the specific details, or with otherapparatus, systems, assemblies, components, materials, parts, etc. Inother instances, well-known structures, materials, or operations are notspecifically shown or described in detail to avoid obscuring aspects ofembodiments of the present invention. In addition, the various Figuresare not drawn to scale and should not be regarded as limiting.

Reference throughout this specification to “one embodiment”, “anembodiment”, or a specific “embodiment” means that a particular feature,structure, or characteristic described in connection with the embodimentis included in at least one embodiment of the present invention and notnecessarily in all embodiments, and further, are not necessarilyreferring to the same embodiment. Furthermore, the particular features,structures, or characteristics of any specific embodiment of the presentinvention may be combined in any suitable manner and in any suitablecombination with one or more other embodiments, including the use ofselected features without corresponding use of other features. Inaddition, many modifications may be made to adapt a particularapplication, situation or material to the essential scope and spirit ofthe present invention. It is to be understood that other variations andmodifications of the embodiments of the present invention described andillustrated herein are possible in light of the teachings herein and areto be considered part of the spirit and scope of the present invention.

It will also be appreciated that one or more of the elements depicted inthe Figures can also be implemented in a more separate or integratedmanner, or even removed or rendered inoperable in certain cases, as maybe useful in accordance with a particular application. Integrally formedcombinations of components are also within the scope of the invention,particularly for embodiments in which a separation or combination ofdiscrete components is unclear or indiscernible. In addition, use of theterm “coupled” herein, including in its various forms such as “coupling”or “couplable”, means and includes any direct or indirect electrical,structural or magnetic coupling, connection or attachment, or adaptationor capability for such a direct or indirect electrical, structural ormagnetic coupling, connection or attachment, including integrally formedcomponents and components which are coupled via or through anothercomponent.

A CPU or “processor” 110 may be any type of processor, and may beembodied as one or more processors 110, configured, designed, programmedor otherwise adapted to perform the functionality discussed herein. Asthe term processor is used herein, a processor 110 may include use of asingle integrated circuit (“IC”), or may include use of a plurality ofintegrated circuits or other components connected, arranged or groupedtogether, such as controllers, microprocessors, digital signalprocessors (“DSPs”), parallel processors, multiple core processors,custom ICs, application specific integrated circuits (“ASICs”), fieldprogrammable gate arrays (“FPGAs”), adaptive computing ICs, associatedmemory (such as RAM, DRAM and ROM), and other ICs and components,whether analog or digital. As a consequence, as used herein, the termprocessor should be understood to equivalently mean and include a singleIC, or arrangement of custom ICs, ASICs, processors, microprocessors,controllers, FPGAs, adaptive computing ICs, or some other grouping ofintegrated circuits which perform the functions discussed below, withassociated memory, such as microprocessor memory or additional RAM,DRAM, SDRAM, SRAM, MRAM, ROM, FLASH, EPROM or E²PROM. A processor (suchas processor 110), with its associated memory, may be adapted orconfigured (via programming, FPGA interconnection, or hard-wiring) toperform the methodology of the invention, as discussed above. Forexample, the methodology may be programmed and stored, in a processor110 with its associated memory (and/or memory 120) and other equivalentcomponents, as a set of program instructions or other code (orequivalent configuration or other program) for subsequent execution whenthe processor is operative (i.e., powered on and functioning).Equivalently, when the processor 110 may implemented in whole or part asFPGAs, custom ICs and/or ASICs, the FPGAs, custom ICs or ASICs also maybe designed, configured and/or hard-wired to implement the methodologyof the invention. For example, the processor 110 may be implemented asan arrangement of analog and/or digital circuits, controllers,microprocessors, DSPs and/or ASICs, collectively referred to as a“controller”, which are respectively hard-wired, programmed, designed,adapted or configured to implement the methodology of the invention,including possibly in conjunction with a memory 120.

The memory 120, 190, which may include a data repository (or database),may be embodied in any number of forms, including within any computer orother machine-readable data storage medium, memory device or otherstorage or communication device for storage or communication ofinformation, currently known or which becomes available in the future,including, but not limited to, a memory integrated circuit (“IC”), ormemory portion of an integrated circuit (such as the resident memorywithin a processor 110), whether volatile or non-volatile, whetherremovable or non-removable, including without limitation RAM, FLASH,DRAM, SDRAM, SRAM, MRAM, FeRAM, ROM, EPROM or EPROM, or any other formof memory device, such as a magnetic hard drive, an optical drive, amagnetic disk or tape drive, a hard disk drive, other machine-readablestorage or memory media such as a floppy disk, a CDROM, a CD-RW, digitalversatile disk (DVD) or other optical memory, or any other type ofmemory, storage medium, or data storage apparatus or circuit, which isknown or which becomes known, depending upon the selected embodiment.The memory 120 may be adapted to store various look up tables,parameters, coefficients, other information and data, programs orinstructions (of the software of the present invention), and other typesof tables such as database tables.

As indicated above, the processor 110 is hard-wired or programmed, usingsoftware and data structures of the invention, for example, to performthe methodology of the present invention. As a consequence, the systemand method of the present invention may be embodied as software whichprovides such programming or other instructions, such as a set ofinstructions and/or metadata embodied within a non-transitory computerreadable medium, discussed above. In addition, metadata may also beutilized to define the various data structures of a look up table or adatabase. Such software may be in the form of source or object code, byway of example and without limitation. Source code further may becompiled into some form of instructions or object code (includingassembly language instructions or configuration information). Thesoftware, source code or metadata of the present invention may beembodied as any type of code, such as C, C++, SystemC, LISA, XML, Java,Brew, SQL and its variations (e.g., SQL 99 or proprietary versions ofSQL), DB2, Oracle, or any other type of programming language whichperforms the functionality discussed herein, including various hardwaredefinition or hardware modeling languages (e.g., Verilog, VHDL, RTL) andresulting database files (e.g., GDSII). As a consequence, a “construct”,“program construct”, “software construct” or “software”, as usedequivalently herein, means and refers to any programming language, ofany kind, with any syntax or signatures, which provides or can beinterpreted to provide the associated functionality or methodologyspecified (when instantiated or loaded into a processor or computer andexecuted, including the processor 110, for example).

The software, metadata, or other source code of the present inventionand any resulting bit file (object code, database, or look up table) maybe embodied within any tangible, non-transitory storage medium, such asany of the computer or other machine-readable data storage media, ascomputer-readable instructions, data structures, program modules orother data, such as discussed above with respect to the memory 120, 190,e.g., a floppy disk, a CDROM, a CD-RW, a DVD, a magnetic hard drive, anoptical drive, or any other type of data storage apparatus or medium, asmentioned above.

Furthermore, any signal arrows in the drawings/Figures should beconsidered only exemplary, and not limiting, unless otherwisespecifically noted. Combinations of components of steps will also beconsidered within the scope of the present invention, particularly wherethe ability to separate or combine is unclear or foreseeable. Thedisjunctive term “or”, as used herein and throughout the claims thatfollow, is generally intended to mean “and/or”, having both conjunctiveand disjunctive meanings (and is not confined to an “exclusive or”meaning), unless otherwise indicated. As used in the description hereinand throughout the claims that follow, “a”, “an”, and “the” includeplural references unless the context clearly dictates otherwise. Also asused in the description herein and throughout the claims that follow,the meaning of “in” includes “in” and “on” unless the context clearlydictates otherwise.

The foregoing description of illustrated embodiments of the presentinvention, including what is described in the summary or in theabstract, is not intended to be exhaustive or to limit the invention tothe precise forms disclosed herein. From the foregoing, it will beobserved that numerous variations, modifications and substitutions areintended and may be effected without departing from the spirit and scopeof the novel concept of the invention. It is to be understood that nolimitation with respect to the specific methods and apparatusillustrated herein is intended or should be inferred. It is, of course,intended to cover by the appended claims all such modifications as fallwithin the scope of the claims.

It is claimed:
 1. An apparatus comprising: a network interface circuitcoupleable to one or more communication lines for communication with ahost computing system; a first memory circuit; and a configurableprocessor circuit coupled to the first nonvolatile memory circuit and tothe network interface circuit, the configurable processor circuitconfigured to appear as a communication circuit or a communicationdevice to the network interface circuit, and the configurable processorfurther configured to monitor data packets transferred between thenetwork interface circuit and the host computing system or transferredbetween a data network and the network interface circuit and to detect amalware data packet from a data network or from the host computingsystem.
 2. The apparatus of claim 1, wherein the configurable processorcircuit is further configured, in response to the detection of themalware data packet from the host computing system, to halt the hostcomputing system.
 3. The apparatus of claim 1, wherein the configurableprocessor circuit is further configured, in response to the detection ofthe malware data packet from the data network, to discard the malwaredata packet or to monitor an operation implemented using the malwaredata packet.
 4. The apparatus of claim 1, wherein the configurableprocessor circuit is further configured to monitor a host memory and, inresponse to an unauthorized modification, to halt a host processor andrestore a host operating system.
 5. The apparatus of claim 1, whereinthe first memory circuit is a nonvolatile memory circuit storing aconfiguration bit image and the configurable processor circuit isconfigured using the configuration bit image to appear as thecommunication circuit or the communication device and to benonaddressable by the data network or the host computing system.
 6. Theapparatus of claim 5, wherein the first memory circuit further stores anoperating system image, and the configurable processor circuit isfurther configured to monitor a host operating system and, in responseto an unauthorized modification, to restore the host operating systemusing the operating system image.
 7. The apparatus of claim 1, furthercomprising: a second memory circuit storing an operating system image;wherein the configurable processor circuit is further configured tomonitor a host operating system and, in response to an unauthorizedmodification, to restore the host operating system using the operatingsystem image.
 8. The apparatus of claim 1, wherein the configurableprocessor circuit is further configured to decrypt data packets from thedata network and to encrypt data packets from the network interfacecircuit or the host computing system.
 9. The apparatus of claim 1,wherein the one or more communication lines are at least part of aninterconnect and the configurable processor circuit, the networkinterface circuit, and the first memory circuit are coupled to theinterconnect though one or more interconnect data switches.
 10. Theapparatus of claim 1, wherein the configurable processor circuit isconfigured to appear as the communication circuit or the communicationdevice using a configuration bit image for solely a partialimplementation of a communication protocol.
 11. The apparatus of claim10, wherein the partial implementation of the communication protocol isa physical layer of the communication protocol, or both the physicallayer and a data link layer of the communication protocol.
 12. Anapparatus comprising: a network interface circuit coupleable to one ormore communication lines for communication with a host computing system;a memory circuit storing a configuration bit image; and a configurablelogic element coupled to the memory circuit and to the network interfacecircuit, the configurable logic element configured using theconfiguration bit image to have a partial implementation of acommunication protocol to appear as a communication circuit or acommunication device to the network interface circuit, and theconfigurable logic element configured to monitor data packetstransferred to or from the host computing system and to detect a malwaredata packet.
 13. The apparatus of claim 12, wherein the partialimplementation of the communication protocol is a physical layer of thecommunication protocol, or both the physical layer and a data link layerof the communication protocol.
 14. The apparatus of claim 12, whereinthe configurable logic element is further configured, in response todetection of the malware data packet to perform at least one actionselected from the group consisting of: halt the host computing system;discard the malware data packet; monitor an operation implemented usingthe malware data packet; monitor a host memory; monitor a host operatingsystem; halt a host processor; restore the host operating system; andcombinations thereof.
 15. The apparatus of claim 12, wherein theconfigurable logic element is further configured to decrypt data packetsfrom a data network and to encrypt data packets from the networkinterface circuit or the host computing system.
 16. The apparatus ofclaim 12, wherein the network interface circuit further comprises aserial gigabit media independent interface port, and wherein theconfigurable logic element is further configured with a device name anda link speed to appear as the communication circuit or the communicationdevice to the serial gigabit media independent interface port.
 17. Asystem comprising: a network interface circuit coupled through aninterconnect or an interconnect switch for communication with a hostcomputing system; a nonvolatile memory circuit storing configurationdata; and a configurable processor circuit coupled to the nonvolatilememory and to the network interface circuit, the configurable processorcircuit configured using the configuration data to appear as acommunication circuit or a communication device to the network interfacecircuit, the configurable processor further configured to monitor datapackets and to detect a malware data packet transferred between thenetwork interface circuit and the host computing system or transferredbetween a data network and the network interface circuit.
 18. Thenetwork interface system of claim 17, wherein the configurable processorcircuit is further coupled through the interconnect or the interconnectswitch for communication with the host computing system.
 19. The networkinterface system of claim 17, wherein the configurable processor circuitis further configured, in response to detection of the malware datapacket, to perform at least one action selected from the groupconsisting of: halt the host computing system; discard the malware datapacket; monitor an operation implemented using the malware data packet;monitor a host memory; monitor a host operating system; halt a hostprocessor; restore the host operating system; and combinations thereof.20. The network interface system of claim 17, wherein the configurableprocessor circuit is configured to appear solely as the communicationcircuit or the communication device by configuring solely for a physicallayer of a communication protocol, or both the physical layer and a datalink layer of the communication protocol.
 21. A method comprising: usinga configurable circuit configured to appear as a communication circuitor a communication device to a network interface circuit, monitoring aplurality of data packets transferred between the network interfacecircuit and a host computing system or transferred between a datanetwork and the network interface circuit, for detection of a malwaredata packet; and in response to a detection of the malware data packet,using the configurable circuit, performing at least one action selectedfrom the group consisting of: halting the host computing system;discarding the malware data packet; monitoring an operation implementedusing the malware data packet; monitoring a host memory of the hostcomputing system; monitoring a host operating system; halting a hostprocessor; restoring the host operating system; and combinationsthereof; and in response to detection of a change in an operating systemstored in the host memory, using the configurable circuit, halting thehost processor and rewriting the operating system in the host memory.22. The method of claim 21, wherein the configurable circuit is furtherconfigured with a device name and link speed to appear as thecommunication circuit or the communication device to a serial gigabitmedia independent interface port of the network interface circuit. 23.The method of claim 21, wherein the configurable circuit is configuredto appear as the communication circuit or the communication device usinga configuration bit image for solely a partial implementation of acommunication or network protocol.
 24. The method of claim 23, whereinthe partial implementation of the communication or network protocol is aphysical layer of the communication or network protocol, or both thephysical layer and a data link layer of the communication or networkprotocol.
 25. The method of claim 21, further comprising: using theconfigurable circuit, decrypting data packets from the data network andencrypting data packets from the network interface circuit or the hostcomputing system.